A '''''dictionary attack''''' is form of lookup attack used to crack passwords even when the passwords have been sent through a hash function. The attack is conducted by first obtaining hashed passwords, then comparing the hash against a dictionary (a table of popular passwords that have already been hashed using the same function). For example, in the table below, some commonly used passwords have been sent through an MD5 hash function. Even though you can't reverse the hash to derive the original password, you can compare the hash in the dictionary against the hash from the password file to determine the password.

+

A '''''dictionary attack''''' is form of lookup attack used to crack passwords even when the passwords have been obscured with a hash function. The attack is conducted by first obtaining the hashed passwords, then comparing them against the hashes in a dictionary (a table of popular passwords that have already been hashed using the same function). For example, in the table below, some commonly used passwords have been sent through an MD5 hash function. The result is a long string of hexadecimal values that cannot be reversed back to their original passwords. However, even though they can't be reversed, it's still possible to determine what they are by running your own hash and comparing the results.

{| class="wikitable" |

{| class="wikitable" |

Revision as of 10:30, 16 October 2017

A dictionary attack is form of lookup attack used to crack passwords even when the passwords have been obscured with a hash function. The attack is conducted by first obtaining the hashed passwords, then comparing them against the hashes in a dictionary (a table of popular passwords that have already been hashed using the same function). For example, in the table below, some commonly used passwords have been sent through an MD5 hash function. The result is a long string of hexadecimal values that cannot be reversed back to their original passwords. However, even though they can't be reversed, it's still possible to determine what they are by running your own hash and comparing the results.

Password

MD5 Hash

abc123

E99A18C428CB38D5F260853678922E03

admin

21232F297A57A5A743894A0E4A801FC3

god

A4757D7419FF3B48E92E90596F0E7548

password

5F4DCC3B5AA765D61D8327DEB882CF99

password1

7C6A180B36896A0A8C02787EEAFB0E4C

secret

5EBE2294ECD0E0F08EAB7690D2A6EE69

Note that MD5 is not a cryptographically secure hash function and should never be used to store password.

Dictionary attacks are made more difficult to use if the hash function employs a salt value, but the if the salt value is discovered, the dictionary can be regenerated with the same salt.